Early this morning, an urgent bug appeared in the Red Hat Bugzilla tracker: a user discovered that the RHSA-2020:3216 grub2 security update and the RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug has been reported as reproducible on any clean minimal installation of Red Hat Enterprise Linux 8.2.
The patches were meant to close a recently discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability itself left a method for attackers to potentially install "bootkit" malware on a Linux system despite the system being protected with UEFI Secure Boot.
RHEL and CentOS
Unfortunately, the Red Hat patches to GRUB2 and the kernel, once applied, leave patched systems unbootable. The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and may also affect RHEL 8.1 and 7.9. CentOS, a distribution derived from RHEL, is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you run a RHEL or CentOS system and believe that you may have installed these patches, do not reboot your system. Downgrade the affected packages using sudo yum downgrade shim* grub2* mokutil and configure yum not to update those packages by temporarily adding exclude=grub2* shim* mokutil to its configuration.
If you have already applied the patches and tried (and failed) to reboot, boot from a RHEL or CentOS DVD in Troubleshooting mode, shut down the network, then perform the same steps described above to restore functionality to your system.
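A small helper for the pin step described above, added here as an example (it is not from the article or from Red Hat): it writes the exclude= line into a yum configuration file without duplicating patterns already present. The configuration file path and the merge-into-an-existing-exclude behaviour are assumptions; the article does not name the file.

```shell
#!/bin/sh
# Added example: pin the packages the article tells you to downgrade so that
# the next "yum update" does not pull the unbootable GRUB2/shim builds back in.
# Run the article's "sudo yum downgrade shim* grub2* mokutil" first, then call
# add_yum_exclude with the yum config file (assumed; e.g. /etc/yum.conf).
PINNED='grub2* shim* mokutil'

# add_yum_exclude FILE: ensure the [main] section of FILE carries an exclude=
# line listing $PINNED. yum honours only one exclude= per section, so if one
# already exists the patterns are appended to it; patterns already listed are
# not repeated. Safe to run more than once.
add_yum_exclude() {
    file=$1
    set -f   # $PINNED contains shell globs; do not let the shell expand them
    if grep -q '^exclude=' "$file"; then
        current=$(sed -n 's/^exclude=//p' "$file" | head -n 1)
        merged=$current
        for p in $PINNED; do
            case " $merged " in
                *" $p "*) ;;                    # already excluded
                *) merged="$merged $p" ;;
            esac
        done
        # rewrite only the first exclude= line (GNU sed 0,/re/ address)
        sed -i "0,/^exclude=.*/s/^exclude=.*/exclude=${merged}/" "$file"
    elif grep -q '^\[main\]' "$file"; then
        # no exclude= yet: add one directly under [main]
        sed -i "/^\[main\]/a exclude=${PINNED}" "$file"
    else
        # no [main] section at all: create one
        printf '[main]\nexclude=%s\n' "$PINNED" >> "$file"
    fi
    set +f
}
```

Remove the exclude= entries again once fixed grub2 and shim packages are published, otherwise the corrected builds will be skipped too.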
Although the bug was first reported in Red Hat Enterprise Linux, related bug reports are apparently coming in from other distributions of different families as well. Ubuntu and Debian users are reporting systems that cannot boot after installing GRUB2 updates, and Canonical has released an advisory that includes recovery instructions for affected systems.
Although the impact of the GRUB2 bug is similar, its scope may differ from distribution to distribution; so far it seems that the Debian/Ubuntu GRUB2 bug only affects systems that boot in BIOS mode (not UEFI). A fix has already been committed to Ubuntu's proposed repository, tested, and released to its updates repository. The updated and released packages, grub2 (2.02~beta2- u and grub2 (2.04-1ubuntu26.2) focal, should solve the problem for Ubuntu users.
For Debian users, the fix is available in a newly committed package.
We have no word at this time about the bug or the impact of GRUB2 BootHole patches on other distributions such as Arch, Gentoo, or Clear Linux.